7 Reasons Why Your Company Needs a Privacy Policy
Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise from a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.
Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn’t a “necessary evil,” it’s just necessary.
Into the Breach – Audio Series – Chapter 8 (Measuring Success)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 8)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.
So how do you measure what matters so you can communicate what counts?
In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.
Learn how to measure what matters and communicate what counts.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register, listen to the recorded sessions from before, and get access to the latest session.
Organized Fraud Prevention: Putting the L.E.D.E.R To Work
By Sharon M. Shaw, CFE
Preparing for successful fraud prevention is like preparing for a first child: the environment is carefully scoped out from the child’s level, and anything that could possibly cause the little darling harm is removed. Drawers and cupboards are locked and anything valuable is put out of sight.
After the first child, prevention becomes more proficient: obvious dangers — and some not so obvious ones — are known and accounted for. For example: even though a 250lb, six foot tall man cannot get the paint can open, a three-year-old will — within seconds — and no matter how wonderful neon pink looks on the walls, it doesn’t look quite the same on Daddy’s new work boots, or as footprints on the new carpet.
Fraud prevention is similar to childproofing.
Unfortunately, fraud footprints are not neon pink and are not always obvious. They can, however, be prevented with some basic common sense. The environment needs to be examined from a potential fraudster’s perspective: lessen any obvious risks, and plan for the not-so-obvious ones.
I have developed a five-part system, dubbed LEDER (pronounced LEADER), to help with this process:
- Look
- Exploit
- Define
- Explore
- Re-Evaluate
LOOK at what rules are currently in place
First of all define what fraud or wrongdoings are within the organization.
There is no one-size-fits-all: every organization is different, and what is acceptable to one company or organization is not acceptable to another.
Does the organization have an ethics policy?
The ethics policy should clearly define what is acceptable behavior, be easy to understand and follow, and should be adhered to from the top down and bottom up.
Many ethics policies say wonderful things but do not clearly define boundaries. They are often generalized, with no real meaning to individual employees. A compliance officer’s definition of ethical behavior may be different from a sales agent’s view when he or she is trying to meet the monthly goals.
Push the Boundaries and EXPLOIT rules
Permission granted to behave like a three-year-old – exploit the defined boundaries.
See how they measure up to everyday protocol. Are they adhered to vigilantly or are deviations used to make the process smoother? Where does the system break down?
Set the standard, DEFINE the intended rules in plain language
Without a policy that clearly defines boundaries, it is difficult for people to do the right thing even if they want to. It’s like being blindfolded and told not to walk off the cliff. Ethical standards need to be set throughout the organization if fraud prevention is to be successful. A well-written policy that clearly defines what can and cannot be done has little meaning if the CEO does not adhere to it, or the top sales person regularly violates it with no consequences.
EXPLORE, the magic eight ball says…
Brainstorm and explore the unknown.
Pull out the ethics policy and look at it objectively. What does it really say?
Does it clearly say what can and cannot be done?
What does “Protect and ensure proper use of company assets” actually mean? Maybe it is okay to use the company fuel card to fill up personal vehicles; after all, the card was kept safe and only used for its intended purpose.
Plan for the unusual (but believable).
The more events that are planned for the more likely the organization is to stave off fraud in the future. Creating extra steps to obtain valuable information or assets will deter would be fraudsters since most fraudsters follow the path of least resistance.
Organizations whose employees clearly understand the ethical values of the company, and adhere strictly to them, have a far better chance of preventing and detecting fraud than a company who has a well-written ethics policy that nobody really understands.
RE-EVALUATE and adapt
Were procedures exploitable?
Are there possible events that were not planned for?
Successful fraud prevention requires that knowledge be turned into power. To have power against fraud, policies and procedures must be continually re-evaluated to ensure they are resilient. Look again: what can be adapted to thwart those magic eight ball scenarios?
By “following the LEDER” it is possible to get better results:
- Look – What have you got?
- Exploit – Can it be broken?
- Define – What do the rules really mean?
- Explore – What could happen?
- Re-Evaluate – Redefine policies so there are fewer opportunities for fraud to occur.
Share your experience in the comments below.
Knowledge is power and together we are stronger in the fight against fraud.
Leading from the Front: Bringing Planned Disruption To The Organization
By Martin Fisher
What is the most important job/function of a leader?
- Inspire the team?
- Use resources effectively?
- Make tough decisions?
- Set an example?
- Develop others?
All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.
But none of these is the most important answer.
The number one job of a leader – the reason leaders exist – is to bring change to organizations.
“That’s silly!” – is a common reply I hear when I make the statement.
“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”
My response to that, in the words of my teenaged daughter, is “Pssh!”.
Change: If you aren’t doing it, you’re doing Leadership wrong.
Effective leaders are never satisfied with the status quo.
Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.
Leadership, a friend once told me, is where the science of the possible meets the art of the dream.
Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.
Leadership is “Disruptive change?”
That’s crazy talk!
Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…
Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:
Think, Rethink, and Rethink Again
The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.
This thinking must be complete, honest, and is not done until the leader understands the environment completely.
The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.
Whatever is left — whatever survives the onslaught — forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:
- Changing the organizational structure? Then create an org chart to talk to and demonstrate.
- Changing processes? Then show a picture that details before and after with the benefits.
- Changing the mission? Then create a succinct mission statement and show what is being changed and why.
Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.
Talk the Team Through The Change
The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.
One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.
The effective leader is able to communicate the change to the team clearly.
Use the picture of the “how and why” to show the team how the change will impact them and how it helps get team goals accomplished.
Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.
“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”
Is it like sales?
Well, if “sales” means influencing people to see things from different perspectives – then yes.
But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.
Data Cleanup Part 1: Primary UserIDs
Welcome to the February issue of Identity Management in 13 Easy Steps. In most parts of the country the weather is cold and dreary, and what better weather for an ID cleanup?
So roll up the sleeves, find the glasses, and brew a lot of extra-strong coffee – it’s time to tackle those primary userIDs.
Primary userIDs – what are they?
A primary userID is the main ID that each user has in an organization. This is the one ID that they *should* have on all systems, although that is often not the case. Typically, the primary ID is the user’s network ID – that is, the ID that each person uses to log into their computer in the morning, and probably also to log into their email. Many organizations call this the LDAP ID or (for Windows-heavy shops) the Active Directory ID. Organizations that are mainframe-heavy might store their primary IDs on the mainframe.
The task at hand
On the surface, this month’s activity is simple: correlate each user’s primary ID with their name and other identity information, as this will be the basis for the identity repository going forward. Hopefully everyone’s primary ID is already stored electronically somewhere (at least in a spreadsheet) and there is some useful data already associated with each ID – like a name, an employee number, or other identifying information. If not, well, that’s where the extra-strong coffee comes in (or maybe decaf would be better?).
The task may be easy to describe, but there are three significant challenges in this cleanup process:
Challenge #1: mapping primary IDs to people
It is likely that the list of primary IDs (assuming it exists) is missing information, or has data that’s so outdated as to be useless. Worse still is a list of IDs without any information (who are bassfisher68 and jedimaster84?). Equally frustrating is the same-name problem: how many John Smiths, Trong Nguyens, and Juan Gonzalezes are in your organization… and whose name goes with which ID?
Challenge #2: are they even still here?
It is often hard to map IDs to people when the ID has persisted, but the person is long gone. Even more doubt is created when the ID belongs to someone with a common name.
Does jsmith3 belong to that contractor that was in here 2 years ago, or does it belong to the guy downstairs in accounting?
A nasty – but necessary – part of cleaning up primary IDs is identifying orphaned accounts that should no longer be active. On the upside, this is a healthy security exercise that often gets put off – after all, who wants to deal with the screaming users when the wrong IDs get disabled? But for identity management to work, this HAS to be done – no more excuses or avoidance!
Challenge #3: mapping primary IDs to primary sources of record
Once the IDs are mapped to the correct names/people and orphaned accounts are retired, it’s time to map the IDs to the corresponding accounts in the sources of record that were identified in last month’s exercise. Remember, identity management is just a facilitator of actions. A key integration is between identity management and the HR system, as that enables the automation of access creation and removal based on hire, transfer, and termination events in the HR system. Identity management can also facilitate the auto-provisioning or password self-service of a user’s other accounts (like email) based on proper linking.
The biggest difficulty in this exercise is typically matching the userID with the right HR record, due to potential differences in legal vs. preferred name. Very often, email addresses and userIDs are set up based on the individual’s preferred name (e.g., Mike, Trish, Betsy), whereas the HR record will contain their legal name (e.g., Michael, Patricia, Elizabeth).
Is Mike Smith the same guy as Michael Smith – or not?
Guessing is not allowed here – matching up the wrong user with the wrong HR record can have very serious consequences. HR doesn’t take kindly to people seeing each other’s salary information. Getting someone else’s email is generally frowned upon as well, especially if some new junior analyst was confused with a senior VP (believe me, this has happened more than once!)
Approach
There is no *right* or *easy* way to execute this cleanup.
With little starting information and/or a large user base, this will be a painful and time-consuming process, but here are some things to help get organized:
- Determine the data set that is needed. Make sure it is the bare minimum to start, because once identity management is implemented and the records are linked, a lot of additional information will populate automatically. The goal here is to identify which data points are needed to accurately link records between systems – nothing more.
- Start with the cleanest source of record to build some momentum. While this is often the HR record, sometimes email is the best bet. Other sources may also be appropriate (like the mainframe). In general, the cleanest sources of record are ones that are carefully controlled and well automated in a database or a repository.
- Enlist the help of someone good at scripting to automate some of the searches and comparisons. Done right, this saves immeasurable time!
- Communication is key!
- Make sure the user base knows a cleanup is underway and why it benefits them
- Solicit assistance from department heads – they can help identify users and their correct/current information
- Ask the leadership to alert their people that they may be polled for information, and specify the name of the team that will do the polling (provide the names of individuals if possible). Users need to know that these requests are legitimate and not a phishing attempt (especially if they just attended training on phishing or Michael has already worked to improve your awareness program)
- Communicate the cleanup process to the leadership so they know the who, what, where, when and why of the effort. This is especially important when the team ends up with a pool of orphaned IDs and no other means of research. The only remaining option is to deactivate those accounts and see if anyone complains. Management needs to understand and support this decision before it can be executed
- Don’t be afraid to disable IDs if reasonable research has not yielded results. Researching identities is extremely time consuming – there is a point where enough is enough, and the security risk to the company should outweigh the brief inconvenience that a handful of users may experience
- Engage HR representatives and local technical support personnel. They tend to know the users personally, and can be of great help identifying them
If existing records are already in pretty good shape, sit back and smile smugly while everyone else beats their head against the wall for a while.
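The scripted searches and comparisons recommended above, as an added example that is not from the original article: a small Python matcher over constructed directory and HR records. It expands the preferred-name/legal-name pairs the text mentions through a nickname table (an assumption here; a real one needs maintaining), refuses to guess when more than one HR record fits a name, and lists accounts with no recent login as orphan candidates for follow-up.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user_id: str
    display_name: str       # free-text name from the directory; may be empty
    last_login: date | None  # None means no login ever recorded


@dataclass(frozen=True)
class HrRecord:
    employee_no: str
    legal_first: str
    legal_last: str


# Assumption: a nickname table mapping preferred names to legal names.
# Constructed for this example; in practice HR would own and maintain it.
NICKNAMES = {"mike": "michael", "trish": "patricia", "betsy": "elizabeth"}


def canonical_first(name: str) -> str:
    """Lower-case a first name and expand a known nickname to its legal form."""
    n = name.strip().lower()
    return NICKNAMES.get(n, n)


def split_name(display_name: str) -> tuple[str, str] | None:
    """Return (canonical first, last) from a display name, or None if unusable."""
    parts = display_name.split()
    if len(parts) < 2:
        return None
    return canonical_first(parts[0]), parts[-1].lower()


def match_accounts(accounts, hr):
    """Link each userID to exactly one HR record, or report why it cannot.

    Returns (matched, ambiguous, unmatched):
      matched   - user_id -> employee_no, exactly one HR record fits
      ambiguous - user_id -> sorted employee numbers, several records fit
                  (the same-name problem; needs a human, never a guess)
      unmatched - user_ids with no fitting HR record (orphan candidates)
    """
    by_name: dict[tuple[str, str], list[str]] = {}
    for rec in hr:
        key = (canonical_first(rec.legal_first), rec.legal_last.lower())
        by_name.setdefault(key, []).append(rec.employee_no)

    matched, ambiguous, unmatched = {}, {}, []
    for acct in accounts:
        key = split_name(acct.display_name)
        candidates = by_name.get(key, []) if key else []
        if len(candidates) == 1:
            matched[acct.user_id] = candidates[0]
        elif candidates:
            ambiguous[acct.user_id] = sorted(candidates)
        else:
            unmatched.append(acct.user_id)
    return matched, ambiguous, unmatched


def stale_accounts(accounts, today: date, max_idle_days: int = 180):
    """userIDs with no login inside the window: review and disable candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.user_id for a in accounts
                  if a.last_login is None or a.last_login < cutoff)


# Constructed sample data mirroring the cases discussed in the text.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("msmith", "Mike Smith", date(2024, 5, 20)),     # preferred vs legal name
    Account("jsmith3", "John Smith", date(2022, 1, 3)),     # common name, long idle
    Account("jsmith", "John Smith", date(2024, 5, 1)),      # common name, active
    Account("bassfisher68", "", None),                       # no name, never logged in
    Account("pjones", "Trish Jones", date(2024, 4, 30)),
]
HR = [
    HrRecord("E100", "Michael", "Smith"),
    HrRecord("E101", "John", "Smith"),
    HrRecord("E102", "John", "Smith"),
    HrRecord("E103", "Patricia", "Jones"),
]


if __name__ == "__main__":
    matched, ambiguous, unmatched = match_accounts(ACCOUNTS, HR)
    print("matched:  ", matched)
    print("ambiguous:", ambiguous)
    print("unmatched:", unmatched)
    print("stale:    ", stale_accounts(ACCOUNTS, TODAY))
```

The ambiguous and unmatched lists are the work queue for department heads and HR, as the bullets above suggest; only the single-candidate matches should feed the identity repository directly.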
Keeping it clean
If there is no current identity management system in place, it is important to keep the new repository of primary userIDs reasonably clean until the new system is in place. Otherwise this fun exercise will need to be repeated.
Staying up-to-date manually requires a process to keep user data in good repair but the process should not be complex or labor intensive. Do the bare minimum necessary to keep the data decently clean. It’s OK if it’s not perfect – a small final cleanup is inevitable.
A word about userID naming standards
If this process reveals the lack of a userID naming standard, or a standard that no longer makes sense for the organization, this is the right time to establish a new, sensible one. This is a large and painful exercise in and of itself, but it is far better to enter into an identity management implementation with a solid and appropriate naming standard than to try to fix it later.
Here are the things to consider:
- Grandfathering existing users vs. making them change their ID to match the new standard
  - Unless there are specific technical reasons for converting everyone, I recommend grandfathering. A primary ID can be created in identity management in the new format and mapped to the untouched existing IDs. This meets the needs of identity management while minimizing impact on the users
- Helping users with multiple ID formats across various systems consolidate to one ID format
  - Although this can be a little painful, many users are happy to undergo the initial challenge in exchange for not having to remember which ID to use on which system
- Having different ID formats for employees vs. non-employees
  - I recommend not doing this. Having visual segregation of ID is much more important in a manual paradigm. With identity management there are many ways to identify a user’s employment status without segregating by ID, and having different ID formats causes more problems than it solves
- Make sure that the selected format will work on all systems – including those legacy dinosaurs with all their length and character limitations
- If you choose to have userIDs based on name, establish a clear policy about changing the ID in the case of marriage, divorce, sex change, etc.
  - Changing someone’s display name is easy. Changing their userID can be tricky, because on many systems this isn’t possible – the old ID has to be deleted and a new one created, which leaves a lot of room for error in copying permissions, files, scripts, etc. However, some people feel very strongly about their name, especially after a nasty divorce or a sex change, so there has to be a provision for this
- Make sure the new naming standard scales adequately for the expected growth of the company, and that it addresses situations where users may need more than one ID, or where individuals have the exact same name (possibly even same middle name or middle initial)
Parking Lot
Doing a userID cleanup of this nature can uncover all kinds of interesting issues – like fields being used to store data that they were not meant to store, IDs being created through unofficial channels that probably should not have been created, etc. Some of these discoveries might be security risks, some might just be sloppy administration, and still others might impact the identity management implementation down the road. In any case, it is important to document these discoveries along the way and do something about them – even if that something is just notifying the responsible manager.
Action Recap
This month, we covered the following key actions:
- Identify the primary ID, and determine who owns each ID
- Identify and retire obsolete IDs
- Connect primary IDs to the appropriate records in the target systems identified in last month’s exercise
- Develop (and use!) a process for keeping the IDs clean until identity management can take over
- Make sure the current ID naming standard is adequate and fix it if it isn’t
None of these actions is quick and easy, but getting them done sets a firm foundation for a successful identity management implementation.
How can I help?
Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.
Personality types: Your key to better business relationships
If there’s one lesson Michael Santarcangelo has taught me, it’s that security (and business) aren’t just “about business”. They’re about people. People who we get along with, people who we (as much as we might not like to admit it) don’t always get along with. But unless we’re Steve Jobs, we don’t have much choice who we need to interact with (and I’ll bet even Steve has to deal with people he doesn’t get along with too well, sometimes).
It’s about the people, stupid.
This article shares information to become more flexible, adaptable, and resilient in dealing with others.
Imagine the power of being able to predict, prevent, and resolve conflicts. How about improving communications with co-workers, clients, and peers?
This might sound like a pretty big claim, but once you learn about personality and how it determines the ways people interact, this information proves invaluable.
What is a “personality type”?
In modern psychology, there are two ways to think about personality: “traits” or “types.” Personality trait theories suggest two people can both be extroverts, but be very different in terms of how strong the trait is in their personality (for example, Bob and Mike might both be extroverts, but the trait is much stronger in Mike than it is in Bob). This view of personality sees it as existing along a continuum, rather than as an “either/or”.
“Personality type” approaches suggest people either have a characteristic or not. An individual is an introvert or an extrovert, assertive or passive, someone who works well in groups or not. This view is the more popular one among those who study personality today, and as such, is the one we’ll explore in more depth.
Defining the Type
The most common instrument to measure personality type is the Myers-Briggs Type Indicator (MBTI). It’s widely used by businesses (and individuals) to better understand personality. It usually consists of about 70 questions that ask you about your likes, dislikes, opinions, and personality characteristics. It then groups people into several “types” based on four personality traits:
- Extroversion/introversion (need external contact to recharge, or time alone?)
- Intuition/sensing (trust more in own feelings or in external observations?)
- Thinking/feeling (the dominant force relied upon to make decisions?)
- Judgement/perception (the need to organize life or let the chips fall as they may?)
Although it would be useful to be able to administer this test to everyone we deal with day-to-day (as impractical as that might be), it’s not necessary.
Usually, it’s enough to simply understand which of the different personality types someone is, and keep that in mind when dealing with others. For example, recognizing that a team member is closer to the “judgement” end of the judgement/perception scale will help explain why they need to research and plan out every move of the project.
We can understand other people’s personality differences without making value judgements. John isn’t trying to drive you crazy by going with his feelings on a decision; he’s simply on the “feeling” end of the thinking/feeling scale, and that’s how he makes decisions.
This knowledge reduces frustration and improves how we approach others – especially if an action is needed on their part.
Learning how to type others
So how do we figure out which personality type someone is?
We can’t very well hand everyone a Myers-Briggs test (although if the topic is brought up, it’s likely that at least one person in the group will volunteer not only that they have taken the test, but what their result was: That they are an “INTJ”, for example).
Observation is the key to success.
People’s personality comes out in a variety of ways, even when the person isn’t aware. Everything from personal style (how they dress), to their environment (how they set up their office), to social signals (verbal and nonverbal communication), reveals information about what personality type they are.
Want to type someone out?
Listen.
Watch.
Observe the things people are doing.
Recipe for Success
Then it’s simply a matter of being conscious of others’ personality styles and how your own (yes, you have a personality style too!) interacts with theirs, for good or for ill.
If you can do this successfully, it becomes easier to do all those neat things mentioned earlier – become more flexible in dealing with others, resolve conflicts, and improve communication with everyone.
So tell us – do you try to be aware of different personality types in your day-to-day life? Has knowing someone’s personality type ever helped you in your work, or has the converse ever happened – not being able to understand another’s personality style negatively impacted your business? Share with us in the comments!
Giving back: The Catalyst Career Compass Program
What started as a way to help friends improve their careers has started to turn into a full-fledged program called the Catalyst Career Compass™.
Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up.
More, with the help of Andy Willingham, Kevin Riggins and others, we are preparing to relaunch and improve the Security Catalyst Community. When we relaunch (hoping for Q2, but the timeline is not defined), new opportunities for members include the career compass program that leads to a mentoring program.
We’re all excited about the program and the possibilities.
In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.
This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.
So it starts now.
And we’ll start small.
For now, no charge (money) to participate — but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.
More details below:
Career Compass Overview
Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.
Set your Career Compass:
- To prepare for a raise
- To receive a promotion
- For career development
- If you are ready to move into the security field
- To find a new position (within your current company or outside it)
Determine your path and venture forth.
Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.
It is a three-step process.
1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.
2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.
3. With all the background work complete, we will help you follow the compass you built.
We do not judge.
Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.
Why the Compass approach works.
We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.
You will be self-aware.
You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.
The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.
How much time does this take?
Like most things in life, the more you invest in this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.
Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.
How to Avoid a Legal 500 Error With Your Privacy Policy
Legal Programming
By Aaron Titus
I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.
In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.
Security From Scratch: Using Compliance For Good
“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.
Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the Office of Thrift Supervision (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.
They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also starting it months after the OTS had wanted new “financial systems” to be completed (which did not enhance their patience in dealing with us).
On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”
My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.
This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.
Putting Compliance In Its Place
Focusing only on compliance almost by definition limits its usefulness.
Many compliance standards change in order to encompass tactics that have already been tried. Bruce Schneier has covered this concept within the context of terrorism and explains how ineffective it is.
However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, HIPAA aims to protect “individually identifiable health information”; PCI aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.
Answering for Your Efforts
Having to “answer for your compliance efforts” doesn’t always mean an audit.
Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to understand their role.
When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of explaining this perspective).
Often, auditors are looking for proof that the “letter of the law” was followed, or otherwise properly addressed. By understanding the auditing procedures and the general expectations surrounding the compliance standard, it is possible to position your actions in a way that makes sense, demonstrates compliance and reduces friction.
The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).
Using Compliance for the Greater Good
Information security compliance standards almost always receive the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of not obtaining or maintaining compliance.
This can be an advantage to manage the company’s risk.
Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.
Ultimately our job is to protect company assets and help to manage risk.
While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.
Is Cloud Computing Right for Your Business?
By Craig Nelson – special guest to The Security Catalyst
Cloud Computing.
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many choose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider’s hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine whether the defect had any consequence (i.e. whether it was used to compromise data).
If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers; I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.